When I run a search I am using a time picker and select 24h, 7d, 30 and the search runs for this time. But I pulled in a ton of info today and it seems to be showing it pulled by time rather than creation date which is a field in the data called "Created". How do I get the time picker to search by created date or have a search so I can, for example, search between dates like 1st of Feb to present date based on the creation date field? thanks
To make splunk use a specific timestamp in your event, you need to look at the time related settings in props.conf for that source/sourcetype.
If those timestamps already get extracted into separate fields, you should also be able to search by them, although you might need to transform the string values to a proper timestamp first to allow any calculations/comparison functions to work properly. Have a look at the strptime eval function.
Thanks Frank but this seems very complicated for what i want to achieve and i am probably not explaining myself correctly.
So to recap i pulled in dump of data (10.000 events) and when i go to search this data using the default time from a raw search (non panels/dashboards) it will find the data and it uses the field i want it too search under (created) so i know the search actually works. So if i search for data using the standard search window an select 1.2.2018 to 31.2.2018 i will only get data that was created for this date range.
My issue is when i build a time dropdown box and tell a panel to search off this time picker dropdown box it gives me back all of the data and not just the one i specify.
Maybe its a simple solution ? thanks alot to all.
When i expand a panel search i see that the time is not the time that is created which is a separate field but it is the time the data was pulled in on which was all yesterday. So not sure why its doing this and not searching the same way when you do a raw search?
Ok thanks Frank
So a search i run is something like this
sourcetype="i.csv" ID!="#" | dedup ID | table ID,Status,Priority,Subject,Updated,Category,Hostname,Dept,Country,Created,Closed,Username | sort by _ID
This gives me the wrong data where it gives a table and in the _time column its just dates and times where the data was pulled in at not the creation time.
This only occurs when i do the search from a panel when i do a search from the normal search in splunk i get the answer i want to something is not being indexed correctly?
I cant show the data as you might understand but i hope that helps. I am going to try and run the searches again and then add the panels again. Other panels have geolocation based on the office location and then compares to a geolocations.csv and that too is showing all of the data and will not e.g. break down to 24 hours.
Frank the issue is when we pull in this data we are looking for the last 1000 records updated. Then pulling in that data. THe problem is its using the updated data as the _time column when it should be using the Created column. I dont know how we tell it too look at the Creation Column and set this as the field to search on not the updated column. If you have ideas i would love to hear them. Thanks